Enforce bandit in CI (#37689)

* enable bandit

* update

* test

* trigger tests

* update

* update

* update

* these integration tests need to be updated not to need these fixes, but I'll do that in a separate PR

---------

Co-authored-by: Scott Beddall <scbedd@microsoft.com>

eng/tox/run_bandit.py

@@ -37,10 +37,8 @@ if __name__ == "__main__":
 
     if in_ci():
         if not is_check_enabled(args.target_package, "bandit"):
-            logging.info(
-                f"Package {package_name} opts-out of bandit check."
-            )
-            exit(0)
+            logging.error("Bandit is disabled.")
+            exit(1)
 
     try:
         check_call(

tools/azure-sdk-tools/ci_tools/environment_exclusions.py

@@ -35,6 +35,9 @@ IGNORE_PACKAGES = [
     "azure-template",
 ]
 
+MUST_RUN_ENVS = [
+    "bandit"
+]
 
 def is_check_enabled(package_path: str, check: str, default: Any = True) -> bool:
     """
@@ -78,7 +81,7 @@ def filter_tox_environment_string(namespace_argument: str, package_path: str) ->
         filtered_set = []
 
         for tox_env in [env.strip().lower() for env in tox_envs]:
-            if is_check_enabled(package_path, tox_env, True):
+            if is_check_enabled(package_path, tox_env, True) or tox_env in MUST_RUN_ENVS:
                 filtered_set.append(tox_env)
         return ",".join(filtered_set)
 

tools/azure-sdk-tools/tests/integration/test_package_discovery.py

@@ -38,7 +38,6 @@ def test_discovery_omit_build():
     assert [os.path.basename(result) for result in results] == [
         "azure-core",
         "azure-core-experimental",
-        "azure-core-tracing-opencensus",
         "azure-core-tracing-opentelemetry",
         "azure-mgmt-core",
         "corehttp",
@@ -59,7 +58,6 @@ def test_discovery_omit_regression():
     assert [os.path.basename(result) for result in results] == [
         "azure-core",
         "azure-core-experimental",
-        "azure-core-tracing-opencensus",
         "azure-core-tracing-opentelemetry",
         "corehttp",
     ]
@@ -96,7 +94,6 @@ def test_discovery_honors_override():
         "azure-common",
         "azure-core",
         "azure-core-experimental",
-        "azure-core-tracing-opencensus",
         "azure-core-tracing-opentelemetry",
         "azure-mgmt-core",
     ]

tools/azure-sdk-tools/tests/test_requirements_parse.py

@@ -65,12 +65,12 @@ def test_replace_dev_reqs_relative(tmp_directory_create):
         os.path.join(expected_output_folder, "coretestserver-1.0.0b1-py3-none-any.whl"),
         os.path.join(expected_output_folder, "azure_identity-1.19.1-py3-none-any.whl"),
         os.path.join(expected_output_folder, "azure_identity-1.19.1-py3-none-any.whl"),
-        os.path.join(expected_output_folder, "azure_mgmt_core-1.4.0-py3-none-any.whl"),
-        os.path.join(expected_output_folder, "azure_mgmt_core-1.4.0-py3-none-any.whl"),
+        os.path.join(expected_output_folder, "azure_mgmt_core-1.5.0-py3-none-any.whl"),
+        os.path.join(expected_output_folder, "azure_mgmt_core-1.5.0-py3-none-any.whl"),
         os.path.join(expected_output_folder, "azure_sdk_tools-0.0.0-py3-none-any.whl[build]"),
         os.path.join(expected_output_folder, "azure_sdk_tools-0.0.0-py3-none-any.whl[build]"),
-        os.path.join(expected_output_folder, "azure_core-1.32.0-py3-none-any.whl"),
-        os.path.join(expected_output_folder, "azure_core-1.32.0-py3-none-any.whl"),
+        os.path.join(expected_output_folder, "azure_core-1.32.1-py3-none-any.whl"),
+        os.path.join(expected_output_folder, "azure_core-1.32.1-py3-none-any.whl"),
     ]
 
     requirements_before = get_requirements_from_file(requirements_file)